Investigative journalist Ronan Farrow delves into the Pandora’s box that is Israel’s NSO Group, a company (now on a U.S. Commerce Department blacklist) that unleashes technologies that allow regimes and cartels to transform any smartphone into a comprehensive spying device. One NSO brainchild is Pegasus, the software that reports every email, text, and search performed on smartphones, while turning their cameras and microphones into 24-hour surveillance devices. It’s enough to give Orwell’s Big Brother feelings of inadequacy. Farrow covers well-tread stories he has long followed in The New Yorker, also reported by many U.S. and British journalists, and well explored in this blog. Farrow recounts the litany of crimes in which Pegasus and NSO are implicated. These include Saudi Arabia’s murder of Jamal Khashoggi, the murder of Mexican journalists by the cartels, and the surveillance of pro-independence politicians in Catalonia and their extended families by Spanish intelligence. In the latter case, Farrow turns to Toronto-based Citizen Lab to confirm that one Catalonian politician’s sister and parents were comprehensively surveilled. The parents were physicians, so Spanish intelligence also swept up the confidential information of their patients as well. While the reality portrayed by Surveilled is a familiar one to readers of this blog, it drives home the horror of NSO technology as only a documentary with high production values can do. Still, this documentary could have been better. The show is marred by too many reaction shots of Farrow, who frequently mugs for the camera. It also left unasked follow-up questions of Rep. Jim Himes (D-CT), Ranking Member of the House Intelligence Committee. In his sit-down with Farrow, Himes made the case that U.S. agencies need to have copies of Pegasus and similar technologies, if only to understand the capabilities of bad actors like Russia and North Korea. Fair point. But Rep. Himes seems oblivious to the dangers of such a comprehensive spyware in domestic surveillance. Rep. Himes says he is not aware of Pegasus being used domestically. It was deployed by Rwandan spies to surveil the phone of U.S. resident Carine Kanimba in her meetings with the U.S. State Department. Kanimba was looking for ways to liberate her father, settled in San Antonio, who was lured onto a plane while abroad and kidnapped by Rwandan authorities. Rep. Himes says he would want the FBI to have Pegasus at its fingertips in case one of his own daughters were kidnapped. Even civil libertarians agree there should be exceptions for such “exigent” and emergency circumstances in which even a warrant requirement should not slow down investigators. The FBI can already track cellphones and the movements of their owners. If the FBI were to deploy Pegasus, however, it would give the bureau redundant and immense power to video record Americans in their private moments, as well as to record audio of their conversations. Rep. Himes is unfazed. When Farrow asks how Pegasus should be used domestically, Rep. Himes replies that we should “do the hard work of assessing that law enforcement uses it consistent with our civil liberties.” He also spoke of “guardrails” that might be needed for such technology. Such a guardrail, however, already exists. It is called the Fourth Amendment of the Constitution, which mandates the use of probable cause warrants before the government can surveil the American people. But even with probable cause, Pegasus is too robust a spy tool to trust the FBI to use domestically. The whole NSO-Pegasus saga is just one part of much bigger story in which privacy has been eroded. Federal agencies, ranging from the FBI to IRS and Homeland Security, purchase the most intimate and personal digital data of Americans from third-party data brokers, and review it without warrants. Congress is even poised to renege on a deal to narrow the definition of an “electronic communications service provider,” making any office complex, fitness facility, or house of worship that offers Wi-Fi connections to be obligated to secretly turn over Americans’ communications without a warrant. The sad reality is that Surveilled only touches on one of many crises in the destruction of Americans’ privacy. Perhaps HBO should consider making this a series. They would never run out of material. Catastrophic ‘Salt Typhoon’ Hack Shows Why a Backdoor to Encryption Would be a Gift to China11/25/2024
Former Sen. Patrick Leahy’s Prescient Warning It is widely reported that the breach of U.S. telecom systems allowed China’s Salt Typhoon group of hackers to listen in on the conversations of senior national security officials and political figures, including Donald Trump and J.D. Vance during the recent presidential campaign. In fact, they may still be spying on senior U.S. officials. Sen. Mark Warner (D-VA), Chairman of the Senate Intelligence Committee, on Thursday said that China’s hack was “the worst telecom hack in our nation’s history – by far.” Warner, himself a former telecom executive, said that the hack across the systems of multiple internet service providers is ongoing, and that the “barn door is still wide open, or mostly open.” The only surprise, really, is that this was a surprise. When our government creates a pathway to spy on American citizens, that same pathway is sure to be exploited by foreign spies. The FBI believes the hackers entered the system that enables court-ordered taps on voice calls and texts of Americans suspected of a crime. These systems are put in place by internet service providers like AT&T, Verizon, and other telecoms to allow the government to search for evidence, a practice authorized by the 1994 Communications Assistance for Law Enforcement Act. Thus the system of domestic surveillance used by the FBI and law enforcement has been reverse-engineered by Chinese intelligence to turn that system back on our government. This point is brought home by FBI documents PPSA obtained from a Freedom of Information Act request that reveal a prescient question put to FBI Director Christopher Wray by then-Sen. Patrick Leahy in 2018. The Vermont Democrat, now retired, anticipated the recent catastrophic breach of U.S. telecom systems. In his question to Director Wray, Sen. Leahy asked: “The FBI is reportedly renewing a push for legal authority to force decryption tools into smartphones and other devices. I am concerned this sort of ‘exceptional access’ system would introduce inherent vulnerabilities and weaken security for everyone …” The New York Times reports that according to the FBI, the Salt Typhoon hack resulted from China’s theft of passwords used by law enforcement to enact court-ordered surveillance. But Sen. Leahy correctly identified the danger of creating such domestic surveillance systems and the next possible cause of an even more catastrophic breach. He argued that a backdoor to encrypted services would provide a point of entry that could eventually be used by foreign intelligence. The imperviousness of encryption was confirmed by authorities who believe that China was not able to listen in on conversations over WhatsApp and Signal, which encrypt consumers’ communications. While China’s hackers could intercept text messages between iPhones and Android phones, they could not intercept messages sent between iPhones over Apple’s iMessage system, which is also encrypted. Leahy asked another prescient question: “If we require U.S. technology companies to build ‘backdoors’ into their products, then what do you expect Apple to do when the Chinese government demands that Apple help unlock the iPhone of a peaceful political or religious dissident in China?” Sen. Leahy was right: Encryption works to keep people here and abroad safe from tyrants. We should heed his warning – carving a backdoor into encrypted communications creates a doorway anyone might walk through. When police send Emergency Data Requests (EDRs) to communications companies like Verizon or Google, they attest that a victim is in danger of serious bodily harm or death unless certain private information about a suspect can be produced. An EDR blows the doors off of any requirement to attach a subpoena or court order with a judge’s signature to honor the requests. Companies usually produce the digital information of the targeted suspect with alacrity. Now the FBI is warning that hackers are worming their way into law enforcement cyber-systems in the United States and around the world, using stolen police credentials to send fake EDRs to steal the private information of innocent people. The potential exists for cybercriminals to issue fake freeze orders on people’s financial accounts, and then follow up with a seizure of assets, diverting funds to a fake custodial wallet that appears to be government-owned. For $1,000 to $3,000, a cybercriminal named Pwnstar will sell buyers police credentials for EDRs in 25 countries, including the United States. “This is social engineering at its highest level and there will be failed attempts at times,” Pwnstar assures his customers on the dark web. He presents himself as a fair businessman, offering to give refunds in the minority of attempts that fail. Krebs on Security reports that Kodex, a company founded by a former FBI agent to identify fake EDRs, found that of 1,597 EDRs it has processed, 485 failed a second-level verification. This status quo puts communications companies in a bind. Krebs writes that “the receiving company finds itself caught between unsavory outcomes: Failing to immediately comply with an EDR – and potentially having someone’s blood on their hands – or possibly leaking a customer record to the wrong person.” What can be done? First, all law enforcement agencies in the United States need to tighten up their digital hygiene to the highest professional levels. An FBI factsheet offers a detailed list of specific security steps police should take, ranging from evaluating the reliability of vendors, to being on the lookout for images that appear doctored or pasted, to strong password protocols, to phishing-resistant multifactor authentication for all services. Finally, the FBI recommends that local law enforcement agencies establish and maintain strong liaison relationships with their local FBI field office. The FBI says it is ready to identify departments’ vulnerabilities and help them mitigate threats. A whitepaper from social media company Meta presents a startling new reality in bland language. It claims that magnetoencephalography (MEG) neural imaging technology “can be used to decipher, with millisecond precision, the rise of complex representations generated in the brain.”
In layman’s terms, AI can crunch a person’s brainwaves and apply an image generator to create an astonishingly accurate representation of what a person has seen. Paul Simon was right, these really are the days of miracles and wonders – and also of new threats to personal privacy. (If you want to see this science-fictional sounding technology in action, check out these images from science.org to see how close AI is to representing images extrapolated from brain waves.) Until now, even in a total surveillance state such as North Korea or China, netizens could have their faces, movements, emails, online searches and other external attributes recorded throughout the day. But at least they could take comfort that any unapproved thoughts about the Dear Leader and his regime were theirs and theirs alone. That is still true. But the robustness of this new technology indicates that the ability of brain data to fully read minds is not far off. Researchers in China in 2022 announced technology to measure a person’s loyalty to the Chinese Communist Party. A number of non-invasive brain-wave reading helmets are on the U.S. market for wellness, education, and entertainment. The Members of the California State Assembly and Senate were sufficiently alarmed by these developments to follow the example of Colorado and regulate this technology. This new law amends the California Consumer Privacy Act to include “neural data” under the protected category of “personal sensitive information.” On Saturday, Gov. Gavin Newsom signed that bill into law. Under this new law, California citizens can now request, delete, correct, and limit what neural data is being collected by big tech companies. We know what you’re thinking, would I be sufficiently concerned about my privacy that I would register with a state-mandated database to make changes to my privacy profile? Actually, that was just our best guess about what you’re thinking. But give it a few years. Imagine this scenario: It’s early evening, and you and your special someone are on the couch preparing to binge-watch your favorite streaming show.
Ding-dong. You answer the door and, as you hoped, it is the dinner delivery person. He hands you your prepaid, pre-tipped meal and you start to shut the door when the delivery worker puts his foot down, blocking you. He snaps a picture over your shoulder and asks: “Why is the wall over your couch bare? It should have a picture of the Dear Leader. I now have no choice but to report you.” This fantastical scenario of a police state enlisting food delivery workers as auxiliary police is taking place, for real, in the People’s Republic of China, according to disturbing reports from Radio Free Asia. Beijing recently posted a directive: “We will hire a group of online delivery personnel with a strong sense of responsibility to serve as part-time social supervisors and encourage them to take part in grassroots governance through snapshots and snap reports …” Radio Free Asia reports that this program is being expanded in China’s annexed territory of Tibet, where food delivery workers are being recruited to perform “voluntary patrol and prevention work.” In addition, Chinese police are requiring Tibetans to revise their personal passwords on their social media accounts, link them to their personal cellphones and identity cards, and make it all accessible to the government. Police are also stopping Tibetans in Lhasa to check their cellphones for virtual private networks, or VPNs, that allow users to get around the “Great Firewall of China,” the government’s restrictive controls on the internet. We can shake our heads and laugh. But the fundamental principle of coopting private-sector industries for internal surveillance is one that is gaining purchase in our own country. The federal government isn’t so crude as to turn the Domino’s pizza delivery guy into a spy. But federal agencies can extract Americans’ personal data from FISA Section 702, even though this program was enacted by Congress not to spy on Americans, but to surveil foreign threats on foreign soil. Prosecutors in the United States can extract information about witnesses and criminal defendants from telecoms and service providers of emails, cloud computing, and online searches, then gag those same companies with a non-disclosure order, which keeps them from ever informing their customers they were surveilled. The good news is that more and more Members of Congress are awakening to the threat of a home-grown American surveillance state. The recent reauthorization of Section 702 sets up a debate over the reach of this program in early 2026. The House passed a measure called the NDO Fairness Act, which would limit non-disclosure orders, putting the onus on the Senate to follow suit. The field of surveillance is one area in which public-private partnerships can go very wrong. Unlike China, however, America is still a democracy with a Congress that can counter expansive government threats to our privacy. Earlier this year, students in a high school art class were called to a meeting of administrators to defend the contents of their art portfolio.
This happened after Lawrence High School in Lawrence, Kansas, signed a $162,000 contract with Gaggle safety software to review all student messages and files for issues of concern. Gaggle had flagged the digital files of the students’ art portfolio for containing nudity. The students vehemently protested that there was no nudity at all in their work. But it was a hard case to make considering that the files had already been removed from the students accounts so the student artists themselves couldn’t refer to it. Max McCoy, a writer with the nonprofit news organization The Kansas Reflector, wrote that if you’re a Lawrence High student, “every homework assignment, email, photo, and chat on your school-supplied device is being monitored by artificial intelligence for indicators of drug and alcohol use, anti-social behavior, and suicidal inclinations.” The same is true of many American high schools from coast-to-coast. Gaggle claims to have saved an estimated 5,790 student lives from suicide between 2018 and 2023 by analyzing 28 billion student items and flagging 162 million for reviews. McCoy took a hard look this incredibly specific number of lives saved, finding it hard to validate. Simply put, Gaggle counts each incident of flagged material that meets all safety criteria as a saved life. Still, it is understandable that school administrators would want to use any tool they could to reduce the potential for student suicide (the second-leading cause of death among Americans 15-19), as well as reduce the threat of school violence that has plagued the American psyche for decades now. But is an artificial surveillance regime like Gaggle the way to do it? McCoy likens Gaggle to the science-fictional “precrime” technology in the Philip K. Dick novel and Stephen Spielberg movie Minority Report. But could Gaggle technology in its actual use be more like the utterly dysfunctional totalitarian regime depicted in the classic movie Brazil? McCoy reports that a cry for help from one student to a trusted teacher was intercepted and rerouted to an administrator with whom the student has no relationship. The editors of the Lawrence student paper, The Budget, are concerned about Gaggle’s intrusion into their newsgathering, notes, and other First Amendment-protected activities. McCoy quotes Rand researchers who recently wrote, “we found that AI based monitoring, far from being a solution to the persistent and growing problem of youth suicide, might well give rise to more problems than it seeks to solve.” It is one thing to keep tabs on student attitudes and behavior. Spyware technology over all student messages and content looks pointlessly excessive. Worse, it trains the next generation of Americans to be inured to a total surveillance state. The City of Denver is reversing its previous stance against the use of police drones. The city is now buying drones to explore the effectiveness of replacing many police calls with remote aerial responses. A Denver police spokesman said that on many calls the police department will send drones first, officers second. When operators of drones see that a call was a false alarm, or that a traffic issue has been resolved, the police department will be free to devote scarce resources to more urgent priorities.
Nearby Arapahoe County already has a fleet of 20 such drones operated by 14 pilots. Arapahoe has successfully used drones to follow suspects fleeing a crime, provide live-streamed video and mapping of a tense situation before law enforcement arrives, and to look for missing people. In Loveland, Colorado, a drone was used to deliver a defibrillator to a patient before paramedics were able to get to the scene. The use of drones by local law enforcement as supplements to patrol officers is likely to grow. And why not? It makes sense for a drone to scout out a traffic accident or a crime scene for police. But as law enforcement builds more robust fleets of drones, they could be used not just to assess the seriousness of a 911 call, but to provide the basis for around-the-clock surveillance. Modern drones can deliver intimate surveillance that is more invasive than traditional searches. They can be packed with cell-simulator devices to extract location and other data from cellphones in a given area. They can loiter over a home or peek in someone’s window. They can see in the dark. They can track people and their activities through walls by their heat signatures. Two or more cameras combined can work in stereo to create 3D maps inside homes. Sensor fusion between high definition, fully maneuverable cameras can put all these together to essentially give police an inside look at a target’s life. Drones with such high-tech surveillance packages can be had on the market for around $6,000. As with so many other forms of surveillance, the modest use of this technology sounds sensible, until one considers how many other ways they can be used. Local leaders at the very least need to enact policies that put guardrails on these practices before we learn, the hard way, how drones and the data they generate can be misused. Why did the “unmasking” of Americans’ identities in the global data trawl of U.S. intelligence agencies increase by 172 percent, from 11,511 times in 2022 to 31,330 times in 2023?
Government officials briefing the media say that most of this increase was a defensive response to a hostile intelligence agency launching a massive cyberattack on U.S. infrastructure, possibly infiltrating the digital systems of dams, power plants, or the like. What we do know for sure is that this authority has been abused before. Unmasking occurs when American citizens or “U.S. persons” are caught up, incidentally, in warrantless foreign surveillance. When this happens, the identities of these Americans are routinely hidden from government agents, or “masked.” But senior officials can request that the NSA “unmask” those individuals. This should be a relatively rare occurrence. Yet for some reason, over a 12-month period between 2015 and 2016, the Obama Administration unmasked 9,217 persons. Former UN Ambassador Samantha Power, or someone acting in her name, was a prolific unmasker. Power’s name was used to request unmasking of Americans more than 260 times. Large-scale unmasking continued under the Trump administration, with 2018 seeing 16,721 unmaskings, an increase of 7,000 from the year before. In recent years, the number hovered around 10,000. Now it is three times that many. This is a concern if some subset of these unmaskings (which mostly involve an email account or IP address, not a name) were for named individuals for political purposes. Consider that in 2016, at least 16 Obama administration officials, including then-Vice President Joe Biden, requested unmaskings of Donald Trump’s advisors. Outgoing National Security Advisor Susan Rice took a particular interest in unmasking members of President-elect Trump’s transition team. We are left to wonder if all of this rise in unmasking numbers can be explained away by Chinese or Russian hackers, or if some portion of them reflect the use of this authority for political purposes. Were prominent politicians, officeholders, or candidates unmasked? These raw numbers come from the government’s Annual Statistical Transparency report. This report on intelligence community activities from the Office of the Director of National Intelligence offers revealing numbers, but often without detail or explanation that would explain such jumps. All we have to rely on are media briefs that at times seem more forthcoming than the briefings available to Members of Congress, even those tasked with oversight of intelligence agencies in the House and Senate Judiciary Committees. As these numbers rise, the American people deserve more information and a solid assurance that these authorities will never again be used for political purposes by either party. A federal court has given the go-ahead for a lawsuit filed by Just Futures Law and Edelson PC against Western Union for its involvement in a dragnet surveillance program called the Transaction Record Analysis Center (TRAC).
Since 2022, PPSA has followed revelations on a unit of the Department of Homeland Security that accesses bulk data on Americans’ money wire transfers above $500. TRAC is the central clearinghouse for this warrantless information, recording wire transfers sent or received in Arizona, California, New Mexico, Texas, and Mexico. These personal, financial transactions are then made available to more than 600 law enforcement agencies – almost 150 million records – all without a warrant. Much of what we know about TRAC was unearthed by a joint investigation between ACLU and Sen. Ron Wyden (D-OR). In 2023, Gene Schaerr, PPSA general counsel, said: “This purely illegal program treats the Fourth Amendment as a dish rag.” Now a federal judge in Northern California determined that the plaintiffs in Just Future’s case allege plausible violations of California laws protecting the privacy of sensitive financial records. This is the first time a court has weighed in on the lawfulness of the TRAC program. We eagerly await revelations and a spirited challenge to this secretive program. The TRAC intrusion into Americans’ personal finances is by no means the only way the government spies on the financial activities of millions of innocent Americans. In February, a House investigation revealed that the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN) has worked with some of the largest banks and private financial institutions to spy on citizens’ personal transactions. Law enforcement and private financial institutions shared customers’ confidential information through a web portal that connects the federal government to 650 companies that comprise two-thirds of the U.S. domestic product and 35 million employees. TRAC is justified by being ostensibly about the border and the activities of cartels, but it sweeps in the transactions of millions of Americans sending payments from one U.S. state to another. FinCEN set out to track the financial activities of political extremists, but it pulls in the personal information of millions of Americans who have done nothing remotely suspicious. Groups on the left tend to be more concerned about TRAC and groups on the right, led by House Judiciary Chairman Jim Jordan, are concerned about the mass extraction of personal bank account information. The great thing about civil liberties groups today is their ability to look beyond ideological silos and work together as a coalition to protect the rights of all. For that reason, PPSA looks forward to reporting and blasting out what is revealed about TRAC in this case in open court. Any revelations from this case should sink in across both sides of the aisle in Congress, informing the debate over America’s growing surveillance state. Will Dream Security Tech Be Marketed More Ethically than Pegasus?According to the Wall Street Journal, Shalev Hulio, former chief executive of NSO Group, the company behind the controversial Pegasus spyware, has launched a new cybersecurity firm in the wake of the Israel-Hamas war. The company, Dream Security, uses artificial intelligence to identify and analyze cyber threats.
So far, the company is already valued at more than $200 million, with customers in Israel and Europe. The need is obvious: European governments and other critical infrastructure have seen increased cyber risks since Russia invaded Ukraine in February 2022. After the recent Hamas raid and atrocities, Israel itself has become a red-hot target. Israel needs and deserves every advantage it can muster in protecting itself. But given the history of NSO and Pegasus, we must raise concern about the risks if Dream Security products were to be sold – as Pegasus was – to irresponsible and dangerous foreign governments and hostile actors. Pegasus has already been implicated in facilitating the murder of journalists and at least one dissident, spying on State Department discussions about an abducted American, and used by politicians in Spain and India against journalists and rivals. Artificial intelligence is a nascent technology. There is no telling how it may yet impact the evolving nature of modern warfare, even if developed for defensive purposes. We support any technology that enhances the security of the Israeli people. But it is in everybody’s best interests that Dream Security commits to only doing business with responsible state and corporate actors. PPSA will be monitoring this story as it develops. Apple Sends Notice of Hack Pegasus – the Israeli-made spyware – continues to proliferate and enable bad actors to persecute journalists, dissidents, opposition politicians, and crime victims around the world.
This spyware transforms a smartphone into the surveillance equivalent of a Swiss Army knife. Pegasus has a “zero-day” capability, able to infiltrate any Apple or Android phone remotely, without requiring the users to fall for a phishing scam or click on some other trick. Once uploaded, Pegasus turns the victim’s camera and microphone into a 24/7 surveillance device, while also hoovering up every bit of data that passes through the device – from location histories to text, email, and phone messages. We’ve written about how Mexican cartels have used Pegasus to track down and murder journalists. We’ve covered the role of Pegasus in the murder of Saudi dissident Adnan Khashoggi, and how an African government used it to spy on an American woman while she was receiving a briefing inside a State Department facility on her father’s abduction. Now fresh evidence from Apple alerts shows how Pegasus continues to be used by governments to spy on political opponents. Journalists have learned that the Israeli-based NSO Group has sold its spyware to at least 10 governments. Two years ago, it was revealed that a government had used Pegasus to surveil Spanish politicians, including the prime minister, as well as regional politicians. Now it is happening in India. On Oct. 31, just in time for Halloween, Apple sent notices to more than 20 prominent journalists, think tank officials, and politicians in opposition to Prime Minster Narenda Modi that hacking attempts had been made on their smartphones. In 2021, The Washington Post and other media organizations investigated a list obtained by Forbidden Stories, a Paris-based non-profit media outlet, tracking down more than 1,000 phone numbers of hundreds of prominent Indians who were set to be surveilled by Pegasus. This plan now seems to have been executed, at least in part. “Spyware technology has been used to clamp down on human rights and stifle freedom of assembly and expression,” said Likhita Banerj of Amnesty International. “In this atmosphere, the reports of prominent journalists and opposition leaders receiving the Apple notifications are particularly concerning in the months leading up to state and national elections.” Yesterday Spain, today India, tomorrow the United States? It is public knowledge that the FBI owns a copy of Pegasus and that a recent high-level government attorney from the intelligence community has signed on to represent the NSO Group. This is all the more reason for Congress to pass serious reforms to Section 702 of the Foreign Intelligence Surveillance Act, to curtail all forms of illicit government surveillance of Americans. PPSA will continue to monitor this story. Long Lake Township v. Maxon In a brief before the Michigan Supreme Court, PPSA alerted the court to the danger of intimate searches of home and residents by relatively inexpensive drones now on the market.
Commercially available drones have thermal cameras that can penetrate beyond what is visible to the naked eye. They can be equipped with animal herd tracking algorithms that can enhance the surveillance of people. Drones can swarm and loiter, providing round-the-clock surveillance. They can carry lightweight, cell-site simulators that prompt the mobile phones of people inside the targeted home to give up data that reveals deeply personal information. Furthermore, PPSA’s brief states that drones “can see around walls, see in the dark, track people by heat signatures, and recognize and track specific people by their face.” These are some of the ramifications of a case now before the Michigan Supreme Court. This case began when Long Lake Township in Michigan, suspecting that Todd and Heather Maxon had violated an agreement not to add to a scrap pile of old cars on their five-acre estate, hired a private drone photography business to investigate. No warrant was issued for this surveillance. Michigan’s top court is now reviewing the ruling by a lower court that found that while warrantless drone surveillance of a residence violated the Fourth Amendment, the evidence should not be excluded from this civil case. PPSA argues that this lack of exclusion of tainted evidence threatens to open a Pandora’s box of pervasive surveillance that could pierce the privacy of virtually anyone inside any structure. PPSA cites ample precedent for the exclusion of the Maxon evidence. In Carpenter v. United States (2018), the U.S. Supreme Court made it clear that the Fourth Amendment applies to digital technologies. In that case, the Court excluded location information derived without a warrant from mobile phones. In Kyllo v. United States (2001), the Court found that the use of thermal images – which reveals the heat signature emanating from inside a home – requires a warrant. Compare Kyllo’s comparatively mild surveillance to the “stereo-camera” configuration of many commercially available drones that enable reconstruction of 3D images from 2D cameras. Such surveillance goes well beyond Kyllo, in which police simply used heat radiating from the external surface of the house to detect marijuana cultivation. “Ready-made drone packages, specifically designed for thermal surveillance flights, with the ability to create 3-dimensional maps from their footage, can be had for around $6,000,” PPSA informed the court. “For less than $10,000, police can obtain a specialized drone with superhuman sensory abilities and better maneuverability than a multi-million-dollar helicopter or plane,” PPSA told the court. Drone’s warrantless extraction of personal information far exceeds the Carpenter warrant requirement. PPSA’s filing addresses an error by the lower court. The Michigan Court of Appeals recognized that the Township had violated the Fourth Amendment in its use of drones. That court nonetheless found that the exclusionary rule did not apply in Maxon. PPSA declared: “The Exclusionary Rule is a judicially crafted remedy that gives teeth to the Fourth Amendment by excluding illegally obtained evidence when the privacy value of enforcing Constitutional rights outweighs social harm from excluding evidence.” PPSA concluded: “If the Fourth Amendment is to have any real meaning in this context, evidence obtained by illegal drone surveillance must be subject to exclusion.” The Michigan Supreme Court is hearing oral argument on this case this week. PPSA will follow the outcome of this important, precedent-setting case. An Example of American Techno-Masochism PPSA works hard to counter growing government surveillance. This generally means surveillance by U.S. federal agencies – such as FISA’s Section 702 authority passed by Congress for foreign surveillance but used to spy on Americans. We also scrutinize expanding surveillance by state and local police, including cell-site simulators that trick your smartphone into giving up your location and other information, and ubiquitous facial recognition software that can follow you around.
But our concerns about government surveillance don’t end with just our government. We are increasingly concerned about the regular and sometimes pervasive surveillance of Americans by the People’s Republic of China, most recently the potential for Beijing to use TikTok as a way to track 80 million Americans. Now, thanks to an investigative piece in The Free Press, we’ve learned that China is also looking to surveil Americans through an increasingly common technology in American cars – LIDAR, or Light Detection and Ranging. This is the system that allows self-driving and semiautonomous cars to track the traffic around them. LIDAR is also, The Free Press reports, “a mapping technology, an aid to the growing number of smart cities, a tool for robotics, farming, meteorology, you name it.” Who is the dominant manufacturer and seller of LIDAR technology in the United States? It is Hesai, a Chinese company that sells nearly one out of every two LIDAR systems globally. In sales, it far outsells all of its American competitors together. China is relying on an old playbook to dominate the U.S. and world markets in LIDAR. The Free Press reports that Hesai does this by offering a solid product, but one backed by Chinese subsidies to sell at below price. Why would they do that? An explanation comes from Sen. Ted Budd (R-NC), who fired off a letter earlier this summer to the Assistant Secretary of Defense for Industrial Base Policy. “[I]t is my understanding that the Chinese LIDAR companies are working with the Chinese Government and the People’s Liberation Army (PLA) to improve this technology and leverage it for Chinese military applications. Simultaneously, these companies have been flooding the U.S. market with low-cost, heavily subsidized Chinese LIDAR, potentially enabling the Chinese to collect a trove of valuable information … “Moreover, the Chinese Government is using LIDAR sensors to conduct police surveillance in the Xinjiang Uyghur Autonomous Region, where evidence suggests China is engaged in ongoing genocide of the Uyghur people.” Given that Chinese law enforces a “military-civil fusion” strategy on Chinese businesses, requiring every Chinese organization and citizen to “support, assist, and cooperate with the state intelligence work,” why on earth would we allow that same government to be able to spy on every American in every near-future car? It is one thing to be forced into the position of the Uyghurs. It is quite something else for the United States to willingly submit to techno-masochism. PPSA previously commented on a New York Times scoop in April that revealed a contractor for the U.S. government had purchased and used a spy tool from NSO, the Israeli firm that developed and released Pegasus software into the wild – which can turn smartphones into pervasive surveillance tools.
The White House was surprised that its own government did business with NSO a few days after the administration had put that firm on the no-business “Entity List.” NSO was placed on this blacklist because its products, the U.S. Commerce Department declared, “developed and supplied spyware to foreign governments that used these tools to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers.” Understandably upset, the White House tasked the FBI to sleuth out who in the government might have violated the blacklist and used the software. Mark Mazzetti, Ronen Bergman, and Adam Goldman of The Times report that months later the FBI has come back with a definitive identification of this administration’s scofflaw. The FBI followed the breadcrumbs and discovered, you guessed it, that it was the FBI. Fortunately, the FBI did not purchase the “zero-day” spyware Pegasus, but another spy tool called Landmark, which pings the cellphones of suspects to track their movements. The FBI says it used the tool to hunt fugitives in Mexico. It also claims that the middleman, Riva Networks of New Jersey, had misled the FBI about the origins of Landmark. Director Christopher Wray discontinued this contract when it came to light. Meanwhile, The Times reports that two sources revealed that contrary to the FBI’s assertions, cellphone numbers were targeted in Mexico in 2021, 2022, and into 2023, far longer than the FBI says Landmark was used. We should not overlook the benefits of such FBI investigations. In fact, PPSA has a tip to offer. We suggest that the FBI track down the government bureau that has been routinely violating the U.S. Constitution by conducting backdoor searches with FISA Section 702 material, as well as warrantlessly surveilling Americans purchased data. More to follow. The unanimous passage of the Fourth Amendment Is Not for Sale Act by the House Judiciary Committee, as well as the expiration of Section 702 of the Foreign Intelligence Surveillance Act, is spurring the National Security Agency into a furious lobbying campaign of the public and Congress to stop surveillance reform.
NSA lobbyists argue that it would be hobbled by the House measure, which would require agencies to obtain a probable cause warrant before purchasing Americans’ private data. Former intelligence community leaders are also making public statements, arguing that passage of Section 702 of the Foreign Intelligence Surveillance Act (FISA) with any meaningful changes or reforms would simply be too dangerous. George Croner, former NSA lawyer, is one of the most active advocates of the government’s “nothing to see here, folks” position. In March, Croner portrayed proposals for a full warrant requirement as a new and radical idea. He quoted two writers that concern over warrantless, backdoor searches is a concern of “panicky civil libertarians” and right-wing conspiracy theorists. In a piece this week, Croner co-authored a broadside against the ACLU’s analysis of the NSA’s and FBI’s mass surveillance. For example, Croner asserts that civil liberties critics are severely undercounting great progress the FBI has made in in reducing U.S. person queries, a process in which agents use the names, addresses, or telephone numbers of Americans to extract their private communications. Croner celebrates a 96 percent reduction in such queries in 2022 as a result of process improvements within the FBI. But, to paraphrase the late, great Henny Youngman, 96 percent of what? Ninety-six percent of a trillion data points? A quadrillion? The government’s numbers are murky and ever-changing, but the remaining amount appears, at the very least if you take these numbers at face value, to constitute well over 200,000 warrantless searches of Americans. Elizabeth Goitein of the Brennan Center for Justice, who has placed her third installment in a series on Section 702 in the online outlet Just Security – a masterclass on that program and why it must be reformed – has her own responses to Croner. While Croner portrays a warrant requirement for reviewing Americans’ data as a dangerous proposal, Goitein sees such a requirement as way to curb “backdoor searches,” and return to the guarantees of the Fourth Amendment. Goitein writes: “For nearly a decade, advocates, experts, and lawmakers have coalesced around a backdoor search solution that would require a warrant for all U.S. person queries conducted by any U.S. agency. Indeed, some broadly supported proposals have gone even further and restricted the type of information the government could obtain even with a warrant.” She describes a Review Group on Intelligence and Communications Technologies that included many, like former CIA acting director Michael J. Morrell, who are anything but panicky civil libertarians. This group nevertheless found it responsible to recommend warrants “based on probable cause” before surveilling a United States person. Other supporters of probable cause warrants range from Rep. Thomas Massie (R-KY) and Zoe Lofgren (D-CA), to Sens. Dianne Feinstein (D-CA), Mike Lee (R-UT), and former Sen. Kamala Harris (D-CA). They all saw what Goitein describes: “Without such a measure, Section 702 will continue to serve as an end-run around the protections of the Fourth Amendment and FISA, and the worst abuses of the power to conduct U.S. queries will continue.” We eagerly await ACLU’s response to Croner’s critique. Such debates, online and perhaps in person, are the only way to winnow out who is being candid and who is being too clever by half. It is a healthy development for intelligence and civil libertarian communities to debate their clashing views before the American people and the Congress rather than leave the whole discussion to secret briefings on Capitol Hill. The digital trail you leave behind can be used to create a profile of you by your race, religion, gender, sexual orientation, financial issues, personal medical history, mental health, and your physical location.
PPSA has long warned against the routine sale of our personal and sensitive information scraped from apps and sold to U.S. federal agencies by data brokers. The general counsels of these law enforcement and intelligence agencies claim that they are not violating the Fourth Amendment prohibition against warrantless search and seizure because they are not seizing our data at all. They’re just buying it. That is galling enough, but what about hostile governments accessing your most personal information? They have no guardrails and would surely have no scruples in using your information against you and, for those in the military or other sensitive positions, the United States. Under Chinese law, China’s technology companies are obligated to share their data with Chinese intelligence. Imagine all the data Chinese military, intelligence, and commercial actors have on the 80 million American users of TikTok. Then multiply that by all the data China acquires through legal, commercial means. “Massive pools of Americans’ sensitive information – everything from where we go, to what we buy and what kind of health care services we receive – are for sale to buyers in China, Russia and nearly anyone with a credit card,” said Sen. Ron Wyden, (D-OR), sponsor of the Protecting Americans’ Data from Foreign Surveillance Act of 2023. “The privacy and security of our data is essential to the freedoms we hold dear,” said co-sponsor Sen. Cynthia Lummis (R-WY). “If foreign adversaries can access our data, they can control it.” Their bill is also supported in the Senate by Sens. Sheldon Whitehouse (D-RI), Bill Hagerty (R-TN), Martin Heinrich (D-NM), and Marco Rubio (R-FL). It is supported in the House by Rep. Warren Davidson (R-OH) and Rep. Anna Eshoo (D-CA). This bill would apply tough criminal and civil penalties to prevent employees of foreign corporations like TikTok from accessing U.S. data from abroad. “Freedom surrendered is rarely reclaimed,” said Rep. Davidson. PPSA agrees and supports this bill. “The need to address foreign exploitation of Americans’ data is urgent,” said Bob Goodlatte, former House Judiciary Committee Chairman and Senior Policy Advisor to PPSA. “This legislation should also prompt us to get our own house in order. Members should address exploitation of our personal information by our government. I hope every member who signs on to this bill supports requiring the U.S. government to obtain a warrant when it wishes to inspect our commercially acquired information, as well as data from Section 702 of the Foreign Intelligence Surveillance Act.” In 2018, the U.S. Supreme Court held that a warrant is needed before government agencies can seize your location history from cell-site records. That opinion, Carpenter v. United States, often described as a landmark ruling, has actually become little more than a legal watermark thanks to the machinations of government agencies.
When a government agency wants to know where you’ve been, or anything about you, all it has to do is consult the trove of sensitive personal information on millions of Americans scraped from apps and purchased from third-party data brokers. No warrants required. As they used to say in internet ads, the government knows all about you with this one weird trick. Two responses to PPSA Freedom of Information Act (FOIA) requests show how freely the FBI and DIA access Americans’ personal information. The FBI has a team dedicated to working with cell tower data. Their specialties include “historical CDR (call detail records) analysis and geospatial mapping,” which enables the tracking of people across multiple towers. The FBI conducts “tower dump analysis,” which seems to be the collection of bulk data from cell towers and “real-time cellular tracking” services. The documents obtained by PPSA show that the FBI regularly lends out these services to state and local governments. The Defense Intelligence Agency documents show that the agency uses commercially available data for “cover operations.” Does this mean DIA is using data to help agents impersonate real people? Or is DIA using our personal information as material from which to create fake, chimeric identities, using a blend of personal information from multiple real people? These are just glimpses into how the government uses our personal information, from our movements to our personal interests, relationships, and beliefs. PPSA will continue to use FOIAs and lawsuits to dig out more details about these practices. Credit to the Department of Justice for a voluminous response to our Freedom of Information Act (FOIA) request. Our request concerned the use of stingrays, or cell-site simulators, by that department and its agencies. Out of more than 1,000 pages in DOJ’s response, we’ve found a few gems. Perhaps you can find your own.
Review our digest of this document here, and the source document here. The original FOIA request concerned DOJ policies on cell-site simulators, commonly known by the commercial brand name “stingrays.” These devices mimic cell towers to extract location and other highly personal information from your smartphone. The DOJ FOIA response shows that the FBI in 2021 invested $16.1 million in these cell-site simulators (p. 209) in part to ensure they “are capable of operating against evolving wireless communications.” The bureau also asked for $13 million for “communications intercept resources.” This includes support for the Sensitive Investigations Unit’s work in El Salvador (p. 111). On the policy side, we’ve reported that some federal agencies, such as the Bureau of Alcohol, Tobacco, Firearms and Explosives, maintain that stingrays are not GPS location identifiers for people with cellphones. This is technically true. Stingrays do not download location data or function as GPS locators. But this is too clever by half. Included in this release is an Obama-era statement by former Department of Justice official Sally Yates that undermines this federal claim by stating: “Law enforcement agents can use cell-site simulators to help locate cellular devices whose unique identifiers are known …” (p. 17) This release gives an idea of how versatile stingrays have become. The U.S. Marshals Service (p. 977) reveals that it operates cell-site simulators and passive wireless collection sensors to specifically locate devices inside multi-dwelling buildings. Other details sprinkled throughout this release concern other, more exotic forms of domestic surveillance. For example, the U.S. Marshals Service Service has access to seven aircraft located around the country armed with “a unique combination of USMS ELSUR suite, high resolution video surveillance capability … proven to be the most successful law enforcement package” (p.881-883). A surveillance software, “Dark HunTor,” exposes user data from Tor, the browser meant to make searches anonymous, as well as from dark web searches for information. (p. 105) In addition, the U.S. Marshals Service Service “has created the Open-Source Intelligence Unit (OSINT) to proactively review and research social media content. OSINT identifies threats and situations of concern that may be currently undetected through traditional investigative methods. Analyzing public discourse on social media, its spread (‘likes,’ comments, and shares), and the target audience, the USMS can effectively manage its resources appropriate to the identified threats.” (p. 931) The DOJ release also includes details on biometric devices, from facial recognition software to other biometric identifiers, (p.353), as well as more than $10 million for “DNA Capability Expansion” (p.365). Is that all? Feel free to look for yourself. Targeted Journalists, Political Opponents, NGO Around the World Now another Israeli company joins the NSO Group for its flagrant disregard for human rights, democracy, and digital privacy in the name of profit.
QuaDream has been identified by The Citizen Lab at the Monk School of Global Affairs and Public Policy as the developer of a new spyware, Reign. Like the more notorious Pegasus, Reign infiltrates phones without requiring the target to click on a malicious link or to even take any action at all. Citizen Lab found that Reign can:
And when the job is complete, Reign self-destructs, removing most of the evidence that it was at ever at work in the victim’s phone. For decades, iPhone users enjoyed superior security. Reign took a big bite out of Apple’s vaunted security features. It infected some victims’ phones by sending them an iCloud invitation, following up on previous invitations, which makes the fake resend invisible to the user. Meanwhile, Google has issued some software patches to address vulnerabilities with its Android smartphone. Microsoft, which partnered with Citizen Lab, reported that the technology has been used to surveil journalists, political opposition figures, and an NGO in countries ranging from the Middle East to Central Europe and Latin America. We have seen time and again that commercially developed spyware finds its most lucrative market in sales to repressive governments and the world’s most dangerous criminal enterprises. While the Israeli government seems alert now to the threat posed by the commercial spyware sector, other actors around the world are surely poised to pick up the slack. The arms race between Apple, Google, and Samsung against spyware developers will continue apace. In the meantime, as former Vice President Nelson Rockefeller said: “If you don’t want it known, don’t say it over the phone.” Or anywhere within twenty feet of your smartphone. The New York Times broke the story that a front company in New Jersey signed a secret contract with the U.S. government in November 2021 to help it gain access to the powerful surveillance tools of Israel’s NSO Group.
PPSA previously reported that the FBI had acquired NSO’s signature technology, Pegasus, which can infiltrate a smartphone, strip all its data, and transform it into a 24/7 surveillance device. Mark Mazzetti and Ronen Bergman of The Times now report that the FBI in recent years had performed tests on defenses against Pegasus and “to test Pegasus for possible deployment in the bureau’s own operations inside the United States.” An FBI spokesperson told these journalists the FBI’s version of the software is now inactive. The secret contract also grants the U.S. government access to NSO’s powerful geolocation tool called Landmark. Mazzetti and Ronen report that such NSO technology has been used thousands of time against targets in Mexico – and that Mexico is named as a venue for the use of NSO technology. Two sources told the journalists that the “contract also allows for Landmark to be used against mobile numbers in the United States, although there is no evidence that has happened.” This story is catching the Biden Administration flat-footed, which had declared this technology a national security threat while placing NSO on a Commerce Department blacklist. In light of these new revelations, Members of Congress should ask the Directors of National Intelligence, the CIA, FBI, and DEA:
This breaking story will likely force the Biden White House to promulgate new rules limiting the use of NSO technology by federal law enforcement and intelligence agencies. As it does, Congress should be involved every step of the way. This technology is frightening because NSO tools can be installed remotely on smartphones with the most updated security software, and without the user succumbing to phishing or any other obvious form of attack. The need for a detailed policy limiting the use of these tools is urgent. NSO technology is to ordinary surveillance what nuclear weapons are to conventional weapons. Because nuclear weapons are hard to make, Washington, D.C. had time to plan and enact a global non-proliferation regime that delayed their proliferation. In the case of Pegasus and Landmark, however, this technology easily proliferated in the wild before Washington was even fully aware of its existence. Pegasus has been used by drug cartels to track down and murder journalists. It has been used by an African government to listen in on conversations between the daughter of a kidnapped man and the U.S. State Department. It was famously used to plan the murder of Adnan Khashoggi. Does anyone doubt that Russian and Chinese intelligence have secured their own copies? Now Washington is both racing to catch up with foreign adversaries and limit the use of this technology at the same time. NSO, through its amoral proliferation of dangerous technology, has made the world a riskier place. As federal agencies seek to get their hands on this technology, Congress should paint a bright red line – DO NOT USE DOMESTICALLY, EVER. In “A Scanner Darkly,” a 2006 film based on a Philip K. Dick novel, Keanu Reeves plays a government undercover agent who must wear a “scramble suit” – a cloak that constantly alters his appearance and voice to avoid having his cover blown by ubiquitous facial recognition surveillance.
At the time, the phrase “ubiquitous facial recognition surveillance” was still science fiction. Such surveillance now exists throughout much of the world, from Moscow, to London, to Beijing. Scramble suits do not yet exist, and sunglasses and masks won’t defeat facial recognition software (although “universal perturbation” masks sold on the internet purport to defeat facial tracking). Now that companies like Clearview AI have reduced human faces to the equivalent of personal ID cards, the proliferation of cameras linked to robust facial recognition software has become a privacy nightmare. A year ago, PPSA reported on a technology industry presentation that showed how stationary cameras could follow a man, track his movements, locate people he knows, and compare all that to other data to map his social networks. Facial recognition doesn’t just show where you went and what you did: it can be a form of “social network analysis,” mapping networks of people associated by friendship, work, romance, politics, and ideology. Nowhere is this capability more robust than in the People’s Republic of China, where the surveillance state has reached a level of sophistication worthy of the overused sobriquet “Orwellian.” A comprehensive net of data from a person’s devices, posts, searches, movements, and contacts tells the government of China all it needs to know about any one of 1.3 billion individuals. That is why so many civil libertarians are alarmed by the responses to an ACLU Freedom of Information (FOIA) lawsuit. The Washington Post reports that government documents released in response to that FOIA lawsuit show that “FBI and Defense Department officials worked with academic researchers to refine artificial-intelligence techniques that could help in the identification or tracking of Americans without their awareness or consent.” The Intelligence Advanced Research Projects agency, a research arm of the intelligence community, aimed in 2019 to increase the power of facial recognition, “scaling to support millions of subjects.” Included in this is the ability to identify faces from oblique angles, even from a half-mile away. The Washington Post reports that dozens of volunteers were monitored within simulated real-world scenarios – a subway station, a hospital, a school, and an outdoor market. The faces and identities of the volunteers were captured in thousands of surveillance videos and images, some of them captured by drone. The result is an improved facial recognition search tool called Horus, which has since been offered to at least six federal agencies. An audit by the Government Accountability Office found in 2021 that 20 federal agencies, including the U.S. Post Office and the Fish and Wildlife Service, use some form of facial recognition technology. In short, our government is aggressively researching facial recognition tools that are already used by the Russian and Chinese governments to conduct the mass surveillance of their peoples. Nathan Wessler, deputy director of the ACLU, said that the regular use of this form of mass surveillance in ordinary scenarios would be a “nightmare scenario” that “could give the government the ability to pervasively track as many people as they want for as long as they want.” As we’ve said before, one does not have to infer a malevolent intention by the government to worry about its actions. Many agency officials are desperate to catch bad guys and keep us safe. But they are nevertheless assembling, piece-by-piece, the elements of a comprehensive surveillance state. The Privacy and Civil Liberties Oversight Board (PCLOB) has posted a rich discussion among its board members, civil libertarians, and representatives of the intelligence community.
General Paul Nakasone, who heads the U.S. Cyber Command, gave the group a keynote address that is a likely harbinger of how the intelligence community will approach Congress when it seeks reauthorization of Section 702, an amendment to the Foreign Intelligence Surveillance Act that authorizes the government to surveil foreigners, with a specific prohibition against the targeting of Americans, but also allows “incidental” surveillance of Americans. Gen. Nakasone detailed cases in which would-be subway bombers and ISIS planners were disrupted because of skillful use of 702 surveillance. Mike Harrington of the FBI doubled down with a description of thwarted attacks and looming threats. April Doss, general counsel of the National Security Agency, emphasized how each request from an analyst for surveillance must be reviewed by two supervisors. Civil liberties scholar Julian Sanchez reached back to the formation of the U.S. Constitution to compare today’s use of Section 702 authority to the thinking behind the Fourth Amendment. He asked if a program that mixes the private data of Americans with surveilled foreigners could possibly clear the Founders’ objection to general warrants. (31:50) Jeramie Scott (40:25) of the Electronic Privacy Information Center, who argued for greater transparency in 702 collection, questioned whether “about” collection truly ended with downstream collection (i.e., information taken directly from Google, Facebook, and other social media companies). The NSA declared in 2017 it had ended the practice of such “about” collection, which moves beyond an intelligence target to email chains and people mentioned in a thread. Could such collection still be occurring in downstream surveillance? Travis LeBlanc, a board member who had previously criticized a milquetoast report from PCLOB for a lack of analysis of key programs, seemed liberated by the board’s new chair, Sharon Bradford Franklin. (Chair Franklin also brings a critical eye of surveillance programs, reflecting her views at the Center for Democracy and Technology.) LeBlanc asked Julian Sanchez if the Constitution requires warrants when an individual’s data is searched under Section 702. Sanchez said that delegating such an authority under the honor system has led to FBI’s behaving as if compliance were a game of “whack-a-mole.” (57:15) Cindy Cohn of the Electronic Frontier Foundation suggested PCLOB examine Section 702’s tendency to be subject to “mission creep,” such as the recent practice of using Section 702 to justify surveillance for “strategic competition” as well as the statutory purpose of anti-terrorism. Cohn said she was not aware of any defendant in a criminal trial ever getting access to Section 702 evidence. (128:45) Cohn concluded: “I think we have to be honest at this point that the U.S. has de facto created a national security exception to the U.S. Constitution.” A revealing insight came from Jeff Kosseth, cybersecurity professor at the U.S. Naval Academy. He pointed to a paper he wrote with colleague Chris Inglis that concluded that Section 702 is “constitutional” and “absolutely essential for national security.” (See 143:40) That opinion, Kosseth added, is something he has “reconsidered” over “deep concern about the FBI’s access” to 702 data, especially concerning U.S. persons. Kosseth said: “At a certain point, we must stop giving the nation’s largest law enforcement agency every benefit of the doubt. The FBI cannot play fast and loose with Americans’ most private information. This has to stop now. And if the FBI cannot stop itself, the Congress has to step in.” Congress needs to “step in” regardless: surveillance of Americans should never occur without express authority in a statute passed by the people’s representatives. In response to a Freedom of Information Act request filed by PPSA, the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF) responded with a batch of documents, including internal training material. In those documents, the ATF confirmed that it uses cell site simulators, commonly known as “stingrays,” to track Americans.
Stingrays impersonate cell towers to track mobile device users. These devices give the government the ability to conduct sweeping dragnets of the metadata, location, text messages, and other data stored by the cell phones of people within a geofenced area. Through stingrays, the government can obtain a disturbing amount of information. The ATF has gone to great lengths to obfuscate their usage of stingrays, despite one official document claiming stingrays are “used on almost a daily basis in the field.” The ATF stressed that stingrays are not precise location trackers like GPS, despite the plethora of information stingrays can still provide. Answers to questions from the Senate Appropriations Committee about the ATF’s usage of stingrays and license plate reader technology are entirely blacked out in the ATF documents we received. An ATF policy conceals the use of these devices from their targets, even when relevant to their legal defense. Example: When an ATF agent interviewed by a defense attorney revealed the use of the equipment, a large group email was sent out saying: "This was obviously a mistake and is being handled." The information released by the ATF confirms the agency is indeed utilizing stingray technology. Although the agency attempted to minimize usage the usage of stingrays, it is clear they are being widely used against Americans. PPSA will continue to track stingray usage and report forthcoming responses to pending Freedom of Information Act requests with federal agencies. In the course of the 2020 presidential election, the FBI approached and pressured Twitter to grant the agency access to private user data. This information has come to light as part of the “Twitter Files” expose, a sprawling series of reports based on internal documents made available through Elon Musk’s ownership of the site.
In January of 2020, Yoel Roth, former Twitter Trust and Safety head, was pressured by the FBI to provide access to data ordinarily obtained through a search warrant. Roth had been previously approached by the FBI’s national security cyber wing in 2019 and had been asked to revise Twitter’s terms of service to grant access to the site’s data feed to a company contracted by the Bureau. Roth drafted a response to the FBI, reiterating the site’s “long-standing policy prohibiting the use of our data products and APIs for surveillance and intelligence-gathering purposes, which we would not deviate from.” While Twitter would continue to be a partner to the government to combat shared threats, the company reiterated that the government must continue to “request information about Twitter users or their content […] in accordance with [the] valid legal process.” Twitter and other social media platforms have been aware of increasing FBI encroachment for some time. In January of 2020, Carlos Monje Jr., former Director of Public Policy and Philanthropy at Twitter, wrote to Roth, saying “we have seen a sustained (if uncoordinated) effort by the IC [intelligence community] to push us to share more info & change our API policies. They are probing & pushing everywhere they can (including by whispering to congressional staff)...” Accordingly, from January 2020 and November 2022, over 150 emails were sent between the FBI and Roth. Not only is the FBI trying to gain a backdoor into Twitter’s data stream, in several cases, the Bureau has pressured Twitter to pre-emptively censor content, opinions, and people. For example, the agency allegedly demanded that Twitter tackle election misinformation by flagging specific accounts. The FBI pointed to six accounts, four of which were ultimately terminated. One of those profiles was a notorious satire account, which calls into question the FBI’s ability to spot fakes. In November, the FBI handed Twitter a list of an additional twenty-five accounts that “may warrant additional action.” And, of course, there is the story about Hunter Biden’s laptop. According to the “Twitter Files,” the FBI pressured Twitter to censor the story as a possible Russian misinformation attack. This was a major story mere days before a presidential election, which the FBI worked to suppress. Expanding efforts by the FBI to gain a backdoor into private social media information is a grave concern, as is the Bureau’s efforts to suppress information. That the agency continues to pursue such options even after being advised that those options violate normal legal procedures is yet another example of how the agency has become increasingly politicized, to the extent that a House Judiciary Committee report described the Bureau’s hierarchy as “rotted at its core” and embracing a “systemic culture of unaccountability.” This is a serious cause for concern given the widespread effects that the agency’s use and potential misuse of its authorities can have on the country as a whole. The largest web browsers are scrutinizing their dependence on root certificate authority TrustCor Systems after researchers discovered it has links with shady spyware producers and distributors.
TrustCor is an agency that vouches for the legitimacy of websites reached by hundreds of millions of users every day. Web browsers employ hundreds of such root certificate authorities to fulfill a vital role in online data security. But with TrustCor Systems, malicious spyware could have had a backdoor into a critical component of U.S. internet infrastructure. According to a Washington Post report on research from Joel Readon at the University of Calgary and Serge Egelman of the University of California, Berkeley, TrustCor’s “Panamanian registration records show that it has the identical slate of officers, agents and partners as a spyware maker identified this year as an affiliate of Arizona-based Packet Forensics, which public contracting records and company documents show has sold communication interception services to U.S. government agencies for more than a decade.” TrustCor’s products include an email service that has been found to host spyware developed by a Panamanian company. According to The Post, Google has since banned all software containing that spyware code from its app store. TrustCor also has the same president, agents, and holding-company partners listed in Panamanian records as another company known as Measurement Systems, which has been caught “paying developers to include code in a variety of innocuous apps to record and transmit users’ phone numbers, email addresses and exact locations.” Apps with that code were downloaded over “60 million times, including 10 million downloads of Muslim prayer apps.” PPSA has reported how the federal government maintains an advanced surveillance network to stalk American Muslims. Who knows what they can do with these data? |
Categories
All
|